Studies have shown that developers of software applications rely heavily on third-party libraries; in some cases an application uses hundreds of them. A security vulnerability in any one of these libraries may compromise the security of the entire application. In some examples, once a vulnerability is detected, a patch can be developed and deployed to mitigate the risk that the vulnerability poses.
In order to determine the actual impact of a library vulnerability on a given application, application and security experts analyze every third-party library vulnerability in detail. This impact assessment, however, is complicated by a number of factors such as, for example, short and incomprehensible vulnerability descriptions, or the fact that dependencies on third-party libraries can be transitive (rather than direct).
Such difficulties can result in inaccurate impact assessments, namely false-negatives and false-positives. False-positives are cases in which experts wrongly judge that a vulnerability impacts the application. Consequently, false-positives represent wasted effort related to the development and deployment of (unnecessary) patches. False-negatives are cases in which experts wrongly judge that a vulnerability does not impact the application. As a result, application deployments are not fixed but remain exposed to attacks exploiting the vulnerability.
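The transitive-dependency difficulty described above can be made concrete with a small dependency-graph walk. The following is an added illustration, not code from the original text: the library names, versions, graph and advisory data are all constructed, and the script reports, for each affected library the application pulls in, whether the dependency is direct or transitive and along which path(s).

```python
from collections import deque

# Constructed sample: the application's resolved dependency graph.
# Keys and values are "name@version" nodes; every name here is hypothetical.
DEPENDENCIES = {
    "app@1.0": ["web-framework@2.3", "json-parser@1.8"],
    "web-framework@2.3": ["http-client@4.1", "logging@1.2"],
    "http-client@4.1": ["compression@0.9", "logging@1.2"],
    "json-parser@1.8": [],
    "logging@1.2": [],
    "compression@0.9": [],
}

# Constructed advisories: library name -> set of affected versions.
ADVISORIES = {
    "compression": {"0.9", "0.10"},  # reachable only transitively
    "json-parser": {"1.8"},          # a direct dependency
    "logging": {"0.5"},              # app uses 1.2, so not affected
}


def split_node(node):
    """'name@version' -> (name, version)."""
    name, version = node.rsplit("@", 1)
    return name, version


def dependency_paths(graph, root):
    """Map every node reachable from root to all dependency paths leading to it.
    Breadth-first walk; the graph is assumed to be acyclic (as resolved
    dependency trees are), so no visited-set is needed."""
    paths = {}
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        paths.setdefault(path[-1], []).append(path)
        for dep in graph.get(path[-1], []):
            queue.append(path + [dep])
    return paths


def assess(graph, advisories, root):
    """Return {node: {'direct': bool, 'paths': [...]}} for each affected node.
    A dependency is 'direct' if some path has only root and the node on it."""
    findings = {}
    for node, paths in dependency_paths(graph, root).items():
        name, version = split_node(node)
        if version in advisories.get(name, set()):
            findings[node] = {"direct": any(len(p) == 2 for p in paths),
                              "paths": paths}
    return findings
```

A transitive finding is the case a reviewer is most likely to miss when reading only the application's declared dependencies, which is why the paths are kept rather than just a yes/no flag.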